The government issues an eID to your wallet. The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID. The government signs individual attributes combined with the public key with the government private key. The government certificate containing the public key is, well, public.
One of the attributes is ‘over_18’ (In the EU eID scheme countries can add other over_XX attributes if they want, but over_18 is mandatory).
When a website wants to requests attributes, in this case the over_18 attribute, they send a request to the user’s wallet app, including a challenge. The wallet sends back a package including the government-signed attribute, which contains the device public key and the over_18 attribute plus a response to the challenge (proving the credential didn’t get transferred).
The website only sees the ‘over_18’ attribute, which is backed by the government signature. They don’t see any other attributes (the wallet app shows in advance which attributes you are sharing). The government never sees which website wants to know if you’re 18+.
Of course this is all a bit simplified, check OIDC4VCI and OIDC4VP for details.
The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.
Not true. The device's public key is also sent, which functions as a stable device identifier.
We've spent years trying to get away from stable tracking IDs and fingerprinting. Returning to a system where devices are sending a stable ID to a website to prove ownership is a step backward.
There are proposed mitigations like issuing multiple sets of credentials or rotating them, but we're not going to get an infinite number of keypairs for every website or session in the secure enclave in practice.
Another reason why these proposals aren't getting much uptake is that they aren't addressing what the lawmakers are pursuing: They don't want anonymous authorization tied to the device. They want IDs tied to accounts and a way to discourage people from sharing IDs. In the anonymous systems it only takes one person a few minutes to put an over-18 identity into a device and there's no way to determine if someone is abusing the system by stealing IDs or if someone's 18 year old brother is setting up all of their younger brothers' phones for $5 each.
The situation gets stickier when you acknowledge that it's not possible to limit all of these websites to only mobile phone devices with secure enclaves that are not jailbroken. Once you open a door to desktop devices and other OSes accessing these sites, you open the door to replaying and proxying attacks, where someone will produce those `over_18` attestations on-demand for you, possibly for a minimal price. This brings us back to the public stable identifier to discourage fraud, which means governments won't be happy to issue as many keypairs as we want, which means we're back to semi-stable fingerprints.
This is covered by allowing for single-use credentials. IIRC the EU personal IDs will use this. Basically, the wallet requests a batch of single-use eIDs that all use different device key-pairs. Each credential is only used for one request and then deleted. The wallet will automatically request new credentials in batches when they run out. The old key-pairs are deleted along with the credential so you don’t run out of space in the secure enclave.
> Another reason why these proposals aren't getting much uptake
I’m not sure what you mean by not much uptake, EU countries are required to issue and accept them for official business by the end of 2026
It doesn't prevent tokens from being stolen or sold, but the token issuer only accepts each token once and can limit the rate that tokens are issued and control how fast they expire, giving decent control over how practical using stolen or sold tokens are.
Personally - this is less acceptable to me than just having the site collect my image/id.
I'd support just putting the id in a dedicated device (ex - gov issues smart key) or just accepting that sometimes people will share id info (just like... physical ids).
It doesn't even close all the doors to transferring ids - since I can still just hand someone a phone (just like... physical ids).
https://www.smithsonianmag.com/smart-news/doppelgangers-dont...
Yeah, and no Linux PCs, no custom builds of web browsers (which would effectively become open source in theory only)—basically the end of any kind of open platform. I would much rather just scan my ID!
IMO, there are two other issues that need to be solved. The major one is that there should be some way to do attestation of devices that are not Google-certified Android or iOS. If this does not happen, the smartphone duopoly is permanently entrenched and not a fair/free market anymore. There is no way to use a smartphone without basically losing your privacy to Google/Apple and given the increasing importance of online services it's becoming increasingly impossible to live without a smartphone.
It was very disheartening that the EU reference implementation was rolled out with only Play Integrity and Apple's counterpart. IMO, this should have been solved before the reference implementation was rolled out to member countries, because many of them won't bother to go beyond that [1]. It is also completely counterproductive when it comes to EU tech sovereignty. There is a group of pioneers that are growing the sovereign ecosystems and then you cut them off.
The second, perhaps lesser, problem is that the security story is not super strong, because most Android phones do not even have a secure enclave (outside Pixel and Samsung flagships/A5x, there are very few). Instead they rely on TrustZone etc. which are regularly targeted by side-channel attacks, etc. Ironically, GrapheneOS is cut off from most of these systems (because Google Play Integrity), while it actually requires a secure enclave and is more secure than... well I guess every other smartphone.
[1] There is some hope, e.g. the developers of the Dutch identity wallet acknowledge the issue and are open to supporting alternative systems.
I have to mention that EUID is not private, since there's "provider" element which informs website if you are 18 or not. The flow is:
1) You scan QR code 2) Your EUDI wallet does verification, informs provider to tell you are 18+ 3) Provider informs website you are 18+
The EUID draft doesnt mention tech like ohttp for anonymizing requests. So there's risk of provider keeping track of who you are. So while everybody claims its fully anonymous which is just false. Government could ask website/service for the token or account information then use timestamp or token then combining with "provider" logs, your identity will be exposed.
EUID has another problem which is letting all countries implement system, which is wasteful duplication effort so this probably will be outsourced and to same company to reduce duplication efforts. Then it'll be centralized and they happen be collecting telemetry data for "experience improvements" as everysite out there do.
I haven't even mentioned biggest problems like requiring attestation Apple/Google. While spec doesn't require it, but the likehood country's app requiring it will be very high.
This is completely unacceptable. In practice, this solution means a locked down device, probably controlled by Google or Apple.
The Internet has existed without identity or age verification for more than 30 years, and there is no reason to change that.
the very first line, government issued digital id - we have been avoiding that for a very long time
how does this work on an open source operating system?
“You must be this tall to ride this ride”
“ you must be 18 to own an iPhone 18+ “
I apologize for the drive-by question, and I appreciate your takes!
This assumes that the government would be able to verify independently a phone serial number so that people’s IDs aren’t leaked. If not, then you’re back to the same thing as before since “drivers licenses” are stored by sites and shared around with advertisers
Do regular desktop and laptop computers have the same secure enclave feature?
So people in dubious legal circumstances are locked out the internet?
And there it is.
And now you're going to tell every state to do it again, but this time it's got a chip in it so "just trust the government, man".
This will go well.
Parents should be able to control what apps can be used, what websites can be viewed, who the phone is able to contact.
That doesn't require knowing my age, or anyone else's.
Also, as an iOS developer, it's not my job to parent your child. The age ratings are clear on the app store, if you give your child unrestricted access to a phone that's on you, not me. If the OS doesn't have proper controls that's on Apple/Android, again, not my fault and not something I should be forced to police.
Thanks to Texas, I can see roughly how old your kid is. I'm not supposed to keep that information though. ;) I'm sure everyone who makes app will comply with that and not use that information for any other purposes and you can bet Texas has the means to audit every app on the app store to make sure that they're complying. lol
sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.
- buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
- websites issue content tags, browsers consume them, you enter your age into the OS during setup.
This could be a good system if it's set up right. There's still some risk of being tracked if it isn't though. IDs could be linked to the cards at the time of purchase if retailers scan the drivers license, then scan the card creating a record that card #XXXXX was purchased using driver's license # XXXXX
Even if retailers aren't scanning the drivers licenses and collecting data that way, the cards and codes on those cards can be tracked and traceable to a retailer. That's how things like calling cards have been tracked. Say for example someone uses the code on a card to access a website, the police can match the code that was used to the serial number of the card, look up which retailer that card was sold at, and can then access security camera footage at that retailer to identify who bought the card from that location. This would also let them passively generate lists of IP addresses/device IDs matched to websites and specific retail locations over time.
Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.
there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too.
its obviously just an illustrative guess. but if the penalty of possessing the card is similar to underage possession of alcohol/tobacco, and larger penalties if a store/person is found providing a card to someone underage, i see no reason why it wouldnt have a similar success rate as alcohol/tobacco.
hopefully some parent steps in if their kid is on the dark web trying to make purchases with their parent's credit card.
That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction.
Good. I should be able to make judgement calls about what my children can or can’t access outside of school.
It’s better if they do it under my supervision than against my back, aided by a predator whose only moat is lending their ID, or their face.
You need to pay for a drivers license or a passport and so on. So there is an intrinsic cost to prove who you are where you are from and what your birthday is already.
You have to pay for all sorts of small things to participate in normal society. This isn't a serious criticism.
By definition this is not a life critical thing, it's something that is procured in order to access specific services on the internet, which is not free.
I have a government ID and I didn't pay for it. I can use it to travel to nearby countries in lieu of a passport. The assumption that IDs are necessarily non-free (to the issuee) is pretty funny to me.
>it's something that is procured in order to access specific services on the internet, which is not free.
The maintenance of the Internet is already paid for through ISP contracts.
It's orthogonal to the discussion, though, which is about whether we should do it or not, because the costs here aren't significant and don't change the terms of the debate.
You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
It just doesn't matter. It's not important. It's consistent with how we organize our society in general, which makes focusing on it in this one particular instance more understandable as an attempt to distract from the substantive merits of these arguments about age verification.
Okay, but the person you replied to doesn't, and instead of providing an actual answer to their question, you posed a false equivalence between proving your age and buying a computer.
>You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
You are purposefully muddying the waters by being lax with your use of language. The "cost" you "pay" by wearing appropriate attire in public is fundamentally different from the actual cost you actually pay when you engage in commerce; one is a trade of freedoms and the other is a trade of goods and/or services. If your argument is that the freedom you have to trade in exchange for the freedom to access the Internet, is that of not having to show an ID, that's one thing. If you also have to add a recurring monetary cost then that's another.
If you don't have an answer to the question of why someone should have to pay again to use the Internet beyond "*shrug* just 'cause, dude. Who cares?", then maybe you shouldn't have said anything.
Kids aren't going to trade Pokemon cards in the playground anymore...
They could also trade porn-filled thumb drive or old-school glossy paper magazine. There no way to prevent kid's exposure to stuff at a 100% success rate.
There no way to avoid exposure completely
I don't think any one of us pushing back here on those claims do so for the heck of NOT finding a "solution", rather genuinely asking because so far it seems nobody did find such a solution without compromises that is in the end not worth it due to the flaw in said solution.
The point isn't to be critical of your process, only of the claim that it's a trivial problem.
Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.
This doesn't have to be perfect.
We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one.
Installing a new browser is already a bit hard for most people. I think you are a little skewed in your thinking being online on HN.
You also aren't thinking about age. Certainly 16 and 18 year old probably can get a new browser installed. But a 14 year old? 12 year old? 10 year old? That barrier is a lot higher the younger a kid is.
To give you an example of the workarounds kids will find: Youtube was blocked on school laptops, so the kids all started embedding Youtube videos inside of Google Sheets in order to watch stuff. This isn't, like, something a few savvy kids did, it was a widespread and common practice.
To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification.
This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission.
> And they are only required on the devices actually given to kids
My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device!
Perhaps my other comment will show you where I'm coming from better: https://news.ycombinator.com/item?id=48645646
...I guess I don't really see the difference.
Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.
But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome.
(also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay)
Why would that be acceptable though? What if a user does not trust the operating system? Even Linux may not be safe in the future, what with age sniffing coming by Red Hat integrating it into system already. And Red Hat plans more - xorg is abandoned on purpose, for instance.
As soon as you loosen off the requirements to "reasonable effort", you can start looking at account age, facial features, social attestation, and include retrospective tools to revisit someone's verification if they get in and start acting like a child. Heuristically messy but far from impossible to demand a stronger form of verification if their original might have been borderline.
The goal is broad coverage, not complete. Screening doesn't have to get 100% to have an effect.
There is a network effect as a child's peers stop using social media though. Make it inconvenient enough for enough for kids and they'll read a book, take up slam poetry or whatever it was kids did before our attention became currency.
Website you want to visit generates a one-time private/public key for the purpose of this login attempt, hashes your random number, and sends the hash back to you.
You connect to the government auth platform, auth yourself to your government, and ask them to sign the hash you received.
You pass the signed hash as well as the original random number to the website you wanted to access (the original random number is used by the website to store the one-time key they generated for you). They can see it is signed by the government. They can see it is made with the hash they provided.
You get access to whatever content you wanted. The website doesn't know who you are. The government doesn't know where you logged in. Sure, it won't hold up against collusion between website and government, but nothing would.
the principles explained above are slight adaptations of PKCE authentication.
Right, so it's just privacy theatre.
If your government is paying private third parties to collect data on you (hello USA), the issue is much wider, and nothing would protect you from such a government. Even without age verification, if the government is interested in spying on you, and the sites are willing to sell, they would gladly trade your IP and connection log.
Unfortunately few know and use this information although the usage via NFC is not that complicated. Have used it successfully already a few times for banks, but including name information etc.
Whenever you want to prove your adult you go to "am I an adult.gov" and you use your credit card or whatever to prove you are an adult. At which point you get a 1-time 5-digit code that is UNIVERSAL TO EVERY SINGLE HUMAN and good for 1 hour (everybody who uses the site gets the same code that hour).
Then when you want to look at porn or something, you use this code. Boom simple and done.
There are even much better much more private techniques that use cryptography, and AI is happy to explain these graduate-degree level topics to you at your own pace.
Of course there are situations where people steal things, and use deep-fakes, etc, but those exist in every model.
Design a scheme that equips parents with better tools to be better parents, rather than one that reduces the scope of parenting responsibilities.
But, for some reason, little twelve year old Jimmy obtaining access to porn evokes some kind of far more visceral reaction in Jimmy's parents (or if not Jimmy's parents, some "busybody" who wants to "protect all the children") than Jimmy managing to get himself a pack of Salem's or a Pabst Blue Ribbon tallboy.
Because right now there's next to no barrier to access compared to Jimmy getting himself a beer. If you keep saying "Your proposal sucks because it isn't perfect and we should do nothing" then you're essentially surrendering to the people who really want facial scans.
This sort of pedantry is really just supporting the opposition.
I think the only thing I actually have any concern about is phones and social media use for kids, and I think that has a much easier solution than any sorting of tracking-BS.
Isn't this the logical end goal of basically every approach to "age verification", though? If you really want to control access to the internet, then you can't let people have a VPN or Tor, and if you don't want people to VPNs or Tor then you need to lock the device down.
AFAIK you don’t need ID to buy juice, sugar, and yeast to make your own alcohol, so I think it should be the same for computer parts.
I and pretty much everyone else in my childhood TeamSpeak server did at roughly 14 years of age.
Maybe for the next few years you'll be able to do that. Analogy: back in the day you could just build your own airplane and fly it around. There were no regulations.
Consider "log in with apple" as it is today. Depending on what you share, a relying website might not even get your name or email.
It seems like all the tech stack is there to implement a very simple and privacy-persevering solution.
It does not even smell of state censorship because a website does not have to check your age if it decides to be "non compliant".
Why isn't it implemented like that? Based on the comments it seems more like a "free-for-all implement-your-own-PPI-handling-thon".
This will ofc make life harder for a some groups of people - like people without / limited access to IDs etc. And i do not even argue that the whole thing is necessary.
But there seem to be vastly superior technical means to implement that, aren't there?
Knowing who someone is in general is different from having a photo of their face or government ID confirmation.
I presume you're concerned by the attesting party's knowledge of both the signature and identify information. Yes, in principle these can be linked, but in practice, it may be difficult or made very difficult, and today, very little of our online activity is really anonymous anyway. It is generally not too difficult to infer identity based on the content someone generates and the bread crumbs they leave behind.
Of course, if the intent is to use age verification as a wedge to monitor everyone, then it will be difficult politically to secure the protections needed to prevent that sort of data fusion.